Don McCurdy

I've been expecting something like this since the XZ hack, but still ... frustrated/annoyed/sad to see Microsoft and 13 (!) partners jointly announcing that their answer is to “educate” open source maintainers.

It's nice that they're compensating maintainers for the time spent on that training, but ... compliance with corporate security policies is still a whole lot of ongoing, unpaid work after that? Sigh.

https://github.blog/news-insights/company-news/announcing-github-secure-open-source-fund/

Announcing GitHub Secure Open Source Fund: Help secure the open source ecosystem for everyone

Applications for the new GitHub Secure Open Source Fund are now open! Applications will be reviewed on a rolling basis until they close on January 7 at 11:59 pm PT. Programming and funding will begin in early 2025.

The GitHub Blog
Nov 20, 2024 at 1:51amWeb
Show threadDon McCurdyNov 20, 2024

If your company relies on open source software and wants to support maintainers, please don't do it this way.

Better models include:

- Tidelift
- Open Source Pledge
- Sovereign Tech Fund Fellowship for Maintainers

Show threadliam o 🦆Nov 20, 2024
@donmccurdy omg, yes, this.
XZ didn't happen because of a maintainer not having the right training or education, it happened because the maintainer didn't have the bandwidth to support the project. As much is obvious from the postmortem.
Show threadAral BalkanNov 20, 2024
@donmccurdy Man, I’d have expected better from a trillion-dollar surveillance capitalist that trains its AI on your code.
Show threadLutin DiscretNov 20, 2024
@donmccurdy and @copiepublique (if you are a french company)
Show threadDon McCurdyNov 20, 2024
@lutindiscret @copiepublique wasn’t aware of this, thank you!
Show threadElon Musk Nov 20, 2024

@donmccurdy code from spicy autocomplete always improves my confidence

> hands-on learning of security principles, tools like GitHub Copilot and Copilot Autofix to help improve security posture, reduce security debt, and improve confidence of downstream users

Show threadMorten LinderudNov 20, 2024

@donmccurdy

> Maintainers will get hands-on learning of security principles, tools like GitHub Copilot and Copilot Autofix to help improve security posture, reduce security debt, and improve confidence of downstream users.

🫠

Show threadOliverUvNov 21, 2024

@Foxboron @donmccurdy

fucking lmao

Show threadKrzysztof KozlowskiNov 21, 2024
@donmccurdy Copilot training and "3-week program consisting of a 5-10 hour commitment each week" is exactly what community needs to fix cases like XZ with busy maintainer bullied by bad actors.

Microsoft, are you ill? Are you just joking here around or just want to sell your crapy Copilot? This is just an insult to Open Source maintainers.

@martin.social You do not see how inappropriate this is?
Martin Woodward

Martin Woodward's Social Links